Security at Modelux.
We're an LLM control plane — we sit on the path of every request your team sends to a frontier model. Security isn't a feature here; it's the table stakes. This page is the short version of how we approach it. Last updated 2026-04-14.
Six things we won't compromise on.
Encrypt everything
TLS 1.2+ for all traffic. Provider credentials, API keys, and webhook signing secrets are encrypted at rest using envelope encryption with KMS-managed keys. Plaintext credentials are never logged.
Least privilege
Production access is restricted to a small set of named engineers, gated by SSO + hardware keys, and audit-logged. Service accounts run with the minimum IAM scopes they need.
BYO keys
Modelux is bring-your-own-keys. We never share your provider credentials with anyone but the corresponding provider, and we never act outside the bounds of the requests you route through us.
No training on your data
We do not use your inputs, outputs, request logs, or telemetry to train, fine-tune, or evaluate any machine-learning model — ours or anyone else's.
Tenant isolation
Postgres rows are scoped by org ID and protected by application-layer access checks. Analytics queries use row-level filters. Automated tests in CI check for cross-tenant data leakage.
Defense in depth
WAF in front of every public endpoint. Rate limits per API key. Webhook deliveries are HMAC-signed. The dashboard enforces strict CSP and SameSite cookies.
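Verifying an HMAC-signed webhook on the receiving side, as an added example that is not Modelux's code: this page does not document the signature scheme, so the `t=…,v1=…` header layout, the signed message (`<timestamp>.<raw body>`) and the 5-minute replay window are assumptions.

```python
import hmac
import hashlib
import json
import time
from typing import Optional

# Assumed (not Modelux-documented) layout: the signature header value is
# "t=<unix-seconds>,v1=<hex hmac-sha256>" computed over "<t>.<raw body>".
REPLAY_WINDOW_SECONDS = 300


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Build the header value a sender would attach (assumed format)."""
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid and the delivery is fresh.

    Signs the raw body bytes (never a re-serialised JSON object), compares with
    hmac.compare_digest to avoid timing leaks, and rejects timestamps outside
    the replay window so a captured delivery cannot simply be re-sent later.
    """
    now = int(time.time()) if now is None else now
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unsigned
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated: possible replay
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


# Constructed sample delivery (not a real Modelux payload or secret)
SECRET = b"whsec_example_constructed_secret"
BODY = json.dumps({"event": "request.completed", "request_id": "req_123"}).encode()
NOW = 1_776_000_000
HEADER = sign_webhook(SECRET, BODY, NOW)
```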
Where we stand on certifications.
We're transparent about what's done, in flight, and on the roadmap. If there's a framework you need that isn't listed, email security@modelux.ai.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Targeting Q3 2026. |
| GDPR | Compliant | DPA available on request; SCCs for international transfers. |
| CCPA / CPRA | Compliant | See Privacy Policy section 11. |
| HIPAA | Not certified | Available under Enterprise BAA on request; not generally in scope. |
| ISO 27001 | Roadmap | Planned post-SOC 2. |
Day-to-day engineering practices.
Vulnerability management
Automated dependency scanning runs on every PR and nightly. Container images are scanned at build. Critical vulns are patched within 72 hours; high within 7 days.
Penetration testing
Annual third-party pen test. Most recent report available to Enterprise customers under NDA.
Backups & recovery
Daily Postgres snapshots with 30-day retention. ClickHouse exports retained per plan tier. Disaster-recovery plan tested quarterly.
Incident response
Documented runbook with on-call rotation. Customer notification of confirmed breaches within 72 hours, consistent with GDPR Article 33.
Code review
All production changes go through pull request with at least one reviewer. Direct pushes to main are blocked. Migrations are reviewed by a second engineer.
Secret management
Application secrets stored in a managed secrets manager. No secrets in environment variables on developer machines. Secrets rotated quarterly or on personnel change.
Who has access to your data.
We work with a small set of vetted sub-processors, each under a data-processing agreement. The full list with purpose and data scope lives in the privacy policy. Enterprise customers get 30 days' notice before any material change.
- AWS, ClickHouse Cloud, Cloudflare — infrastructure
- OpenAI, Anthropic, Google, Azure, Bedrock, Groq, Fireworks — LLM providers (only requests you route to them)
- Stripe — payments
- SendGrid — transactional email
Found something? Tell us.
We welcome reports from the security community. Email security@modelux.ai with details and a way to reproduce. We'll acknowledge within 2 business days, fix critical issues within 72 hours, and credit you in the changelog if you wish.
In scope
- modelux.ai, app.modelux.ai, api.modelux.ai
- Modelux SDKs (Python, TypeScript) on PyPI/npm
- Authentication, authorization, tenant isolation, credential handling
Out of scope
- Issues in third-party LLM providers (report to them directly)
- Denial-of-service attacks, social engineering, physical attacks
- Findings on staging or development environments
- Self-XSS or CSRF on logged-out forms
We commit not to pursue legal action against good-faith researchers acting in accordance with this policy.
Need a security review or DPA?
Enterprise customers can request our security questionnaire, pen-test summary, SOC 2 progress letter, and a signed DPA. Email security@modelux.ai and we'll get back within one business day.